ftp / sftp / the point

I use Filezilla to transfer files (I use winSCP for editing because upoading is painfully slow due to the nature of the program). Now… in Filezilla I have some options for transfer:

  1. FTP
  2. FTP over SSL/TLS(using encryption)
  3. FTP over SSL(explicit encryption)
  4. SFTP using SSH
  5. FTP over TLS(explicit encryption)

Pardon me for being thick, but what’s the point? I expect to be corrected but from what I read I can’t figure it out. This is what I can’t figure:
Here on my machine nothing is encrypted. On the server nothing is encrypted. So it seems that when I choose to use a secure ftp, all I am doing is protecting the data in transit. But the ftp connection on the server couldn’t care – I use the same password for ftp or any of the others. So if all I’m doing is protecting the transfer then if what I’m doing is innocent (all of what I upload/download with ftp) then why use this encryption? Especially when it slows things down? The IP I’m going to can’t be encrypted can it? So they know the IP so they could try and batter their way in if they wanted. If it’s to stop ‘snooping’ or ‘packet sniffing’ or whatever it is then surely using encryption indicates something?
I can see why I might encode a letter to a friend – I suppose this is similar? In which case you would use ftp when uploading blog files but sftp when uploading plans for illegal activities? I can’t help but feel that for the vast majority of people this stuff just doesn’t matter – and for those individuals that are left it also doesn’t really matter. If someone important wants your data they’ll just take it. Or is there actually a sound reason to use the secure route?

2 thoughts on “ftp / sftp / the point

  1. FTP transfers data in plaintext, including the initial login process. So your FTP password is passed over the wire in a plainly readable way. If you’re using a laptop in a coffeeshop, and you FTP up a quick change to a site, a malicious person can watch the traffic, see your username and password, and then log in as you.

    Worse still, the data going across is plaintext, too. So that means that the wp-config.php file, with your database credentials, is going to be visible to anyone who watches.

    If you’re doing it from home, the chances of an employee at your ISP snooping your traffic is extremely low. But can you be absolutely sure that at each hop along the way there’s no one watching your traffic?

  2. As skippy said the bad thing about ftp is that your username, password and file goes across in plaintext. With sftp this is all encrypted and hidden from any snooper along the packet path.

    sftp also has the benefit that once you have accepted the identity of a remote site and cached it’s public key you are protected against a man-in-the-middle attack where someone tries to steal you username and password by trying to pretend to be the remote server – for example by hacking the dns so that the domain name points at a different server.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.